We should firstly ensure our system is up to date:
yum update
and proceed by disabling firewalld
systemctl stop firewalld
systemctl mask firewalld
and also disabling selinux:
vi /etc/selinux/config
and add / modify the line:
SELINUX=disabled
and setting permisive mode (so we don't need to do a reboot):
setenforce 0
and then download and compile squid from source:
yum install perl perl-Crypt-OpenSSL-X509 && yum groupinstall "Development Tools"
cd /tmp
curl -O http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.19.tar.gz
tar zxvf squid-3.5.19.tar.gz
cd squid-3.5.19
./configure --prefix=/usr/local/squid --enable-delay-pools
make all
make install
create our squid user:
useradd squid -s /sbin/nologin
chown -R squid:squid /usr/local/squid/var/logs
chown -R squid:squid /usr/local/squid/var/cache
and then lets create our squid config:
vi /etc/squid/squid.conf
and add:
cache_dir ufs /usr/local/squid/var/cache/squid 15000 16 256
cache_effective_user squid
cache_effective_group squid
# tweaks
dns_v4_first on
visible_hostname myproxy.local
http_port <your-interface-address>:3128 transparent
## Define our network ##
acl our_network src <your-subnet/24>
## make sure that our network is allowed ##
http_access allow our_network
## finally deny everything else ##
http_access deny all
and initialize the cache:
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
/usr/local/squid/sbin/squid -z
Now lets setup the firewall configuration...
Firstly ensure ip forwarding is enabled:
vi /etc/sysctl.conf
and add:
net.ipv4.ip_forward = 1
and ensure it persists reboot:
/sbin/sysctl -p /etc/sysctl.conf
and then install / enable iptables:
yum install iptables-services
systemctl enable iptables
systemctl start iptables
and create our iptables ruleset:
iptables -t filter -I INPUT 1 -i <source-interface> -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -I INPUT 1 -i <source-interface> -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o <source-interface> -j MASQUERADE
iptables -t nat -A PREROUTING -i <source-interface> -p tcp --dport 80 -j REDIRECT --to-port 3128
0 comments:
Post a Comment